Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Barence writes "Speaking exclusively to PC Pro, Eugene Kaspersky has claimed Apple has repeatedly refused to deliver the software development kit necessary to design security software for the phone. 'We have been in contact for two years with Apple to develop our anti-theft software, [but] still we do not have permission,' said Kaspersky. Although he admits the risk of viruses infecting the iPhone is 'almost zero,' he claims that securing the data on the handset is critical, especially as iPhones are increasingly being used for business purposes. 'I don't want to say Apple's is the wrong way of behaving, or the right way,' Kaspersky added. 'It's just a corporate culture — it wants to control everything.'"

If there's anything we learned from the PC universe, it's that many people would rather have viruses run transparently in the background than have their machines slow to a crawl because of overbearing security suites that often don't even identify proper threats.

Having tried the iPhone, I think it's a decent gadget, but it's not fast enough to be able to take performance hits from inefficient security suites.

If there's anything we learned from the PC universe, it's that many people would rather have viruses run transparently in the background than have their machines slow to a crawl because of overbearing security suites that often don't even identify proper threats.

That's a very interesting point. Virus used to wreak havoc on the targeted computer and destroy files, reboot the machine, etc... Nowadays, all that they hope for is to be able to steal stealthily a few percent of resources and bandwidth. About the same as the antivirus except he is not very stealthy about it.

f there's anything we learned from the PC universe, it's that many people would rather have viruses run transparently in the background than have their machines slow to a crawl because of overbearing security suites that often don't even identify proper threats.

I'm not sure what PC universe you spend time in, but in mine most users prefer both. They love to run the overbearing security suites because then they *know* they're secure, and don't have to worry about all those weird other things running transparently in the background.

That's not even the worst of it. The worst of it is that in order for Kaspersky's suite to do anything useful, you'd have to give it full access to the machine. If you give it full access to the machine, suddenly you're *less* secure, because you installed a "security app." So not only do your batteries last a quarter as long, you'll probably get a virus you couldn't have got otherwise.

The iPhone has enterprise tools available for anti-theft, too. It can encrypt all data by default and remotely wipe the device, and even end users can get the GPS coordinates of the device if they have MobileMe.

Their control of the App Store is abusing and ridiculous, but i don't see a lack of anti-theft features here.

Just because the iPhone has similar functionality built in doesn't mean 3rd party vendors shouldn't be able to compete. I happen to be writing this comment with Firefox on a machine that came with IE already...

Also, doesn't change the fact that he was clueless what the article was about.

Just because the iPhone has similar functionality built in doesn't mean 3rd party vendors shouldn't be able to compete. I happen to be writing this comment with Firefox on a machine that came with IE already....

Apple doesn't want to give developers access to the API's to do things like remote wipe. So they either block everyone from doing it or they make an exception for certain vendors. Apple isn't very big on making exceptions for any external company, even Google gets the choice of doing it the Apple way or hitting the highway. Nobody seems to mind in this case except the anti-virus cartel who are seeing their core market melt way now Windows is becoming secure and they don't have a foothold in this decade's growth market, mobile devices.

Disclaimer: I do NOT work for Good technology, but was recently asked to research the use of iPhone, WebOS and Droid in my company's enterprise environment and Good is pretty much the very best of the best out there from what I could tell.

It can encrypt all data by default and remotely wipe the device, and even end users can get the GPS coordinates of the device if they have MobileMe.

I know this, because I work for an iPhone nut.

If you're a business user, you're using Exchange 2007 with ActiveSync to remotely manage the iPhone and deliver email. If you've got a wish to drive yourself insane, you're also using MobileMe on that same device.

MobileMe has some neat features, but quite frankly it's complete bullshit that those features (Find my iPhone et. al.) are mutually exclusive from a phone with an ActiveSync binding. MobileMe + ActiveSync is highly discouraged by all of the Apple support reps I've spoken with, and to date, my boss has had nothing but nightmares involving the combination of the two.

Getting those two to work together is as easy as controlling two computers with Synergy.

It's interesting that you chose Synergy as your example. Synergy is a royal pain in the ass to configure for all but the most logical and technical minded people.

For a user who doesn't understand how contacts are stored, where they come from, or why they end up getting duplicated (or at least appear to be that way) without making a really stupid car analogy that won't actually transfer back to referenced analogous use of the device... I'll presume you get the idea.

Every single one of them useless the moment I turn off the phone and clip the antenna wires so it can't get a signal or just add more wire to completely fuck the antenna. Then it's free reign and I can take all the time I want breaking the encryption.

Been there, done that, give me something that's actually new and interesting. I have many friends with iPhones and they're always bringing them to me. Anything Apple can do I've already got circum

There is also a lot of iPhone software that phones home, and here's the problem, the app store as a security measure is a complete and utter myth. The app store is NOT about security, it does not make you magically protected. It's also worth noting that Apple boasts about having hundreds of thousands applications on it's app store- is anyone really naive enough to believe that Apple is capable of doing a full security audit on each and every one of these applications?

Except that the iPhone isn't the only phone you can buy and thus you don't have to put up with the rules Apple sets for it's App store unless you choose to buy an iPhone. Thus your analogy falls completely apart.

Their control of the App Store and anti-jailbreaking measures are because of one reason: Apple wants to avoid bad publicity.When there was this rash of rickrolled iPhones a few months back, most media reported it, but very few mentioned that it only affected jail broken phones. Apple wants to avoid getting into the news like that, because their brand is the most important asset they have.

The reason he had to jailbreak his iPhone, no doubt, is because otherwise it would have been completely impossible to write a firewall for it, or to hide the phone's UDID.

How about you actually read his blog? The apps he was testing are from the AppStore...

And not unique to the iPhone, since there are APIs to get the same thing off of every other phone out there - Android, Blackberry, Symbian, Windows Mobile, and probably Windows Phone as well. APIs like getting the phone number and/or IMEI, software versio

Just recently, the EFF showed that [eff.org] seemingly-innocuous information is probably enough to uniquely identify you from the hundreds of thousands or millions of visitors to a particular site. And that’s not even on the same playing field as a vendor-assigned unique device ID.

You know who else has your phone number? EVERYONE.

No. Nobody has my phone number except the people I’ve given it to.

AT&T has your phone number too...where is the uproar?

And I’m pretty sure they can’t sell it to 3rd parties without my consent.

You'd better read it again (like I just did). To me, the site is quite agnostic toward jail-breaking, and is no less useful to someone with a non-jailbroken device. I believe I feel the same way about jailbreaking as you do (currently not considering jailbreaking my device, fairly sure I'll never do it), but as another poster has said: There's not a chance in hell that Apple have properly audited all the application for security, and it's flat out impossible they'd be able to do so adequately anyway (they

You'd better read it again (like I just did). To me, the site is quite agnostic toward jail-breaking, and is no less useful to someone with a non-jailbroken device. I believe I feel the same way about jailbreaking as you do (currently not considering jailbreaking my device, fairly sure I'll never do it), but as another poster has said: There's not a chance in hell that Apple have properly audited all the application for security, and it's flat out impossible they'd be able to do so adequately anyway (they don't audit the source). The App Store is not about that at all.

Apple may not audit the source but they do have analysis tools [appleinsider.com] to scan for the use of non-public APIs. This provides some security but everything you can do with the public API's will not get checked, unfortunately this includes phoning home some information (because there are times when this behavior is wanted.) So this guy should be applauded for taking the time to check a lot of applications for this kind of behavior and shaming the ones that do.

Very simple. Liability. I would think it would be possible for a lawyer to make the claim that if Apple's product broke causing the loss, AND that Apple actively blocked --potentially-- better products from working, that they then assumed liability for any damage their original product failed to protect. Right now, liability limitations exist because the user has a choice. "We deny all liability, because you read this and still chose to use our product". But with ACTIVELY suppressing competition, aren't they removing that choice, and hence opening themselves up to liability (Since you had no choice in the first place)?

I would think it would be possible for a lawyer to make the claim that if Apple's product broke causing the loss, AND that Apple actively blocked --potentially-- better products from working, that they then assumed liability for any damage their original product failed to protect.

Based on exactly what statutory or case law do you base this assertion on?

But with ACTIVELY suppressing competition, aren't they removing that choice, and hence opening themselves up to liability (Since you had no choice in the first place)?

No, they aren't. You do not assume responsibility for anything just because someone would like you to do something and you choose not to. Apple would have to deliberately or at least constructively assume responsibility for the data. It's plausable a class-action could attempt to claim the product failed to deliver on features the consumer rea

Why would they want another app in the background using the phone's resources to duplicate the functionality of MobileMe? Good question.It's not like this app would be functional if it only ran in the foreground.Yet another guy whining because he has a shitty concept for an app with no user benefit that has been rejected. That there exist other shitty apps on the app store doesn't make his any better or warrant an exception by Apple.

Kaspersky's not blocked from using the SDK, he can use the same one all other developers are using and can use the same APIs. He could even call private APIs and run his software on his own device, it would just mean he couldn't sell it through the appstore.

I was, rather, replying specifically to GGP's claim that Apple is morally in the right to forcibly prevent third-party development for its platform if it competes with its own services.

I see. That's just Apple's philosophy: the iphone isn't hard- or software to them but a combination of both plus the way the user interacts with its basic functions. You may think it's bullshit but as Kaspersky himself points out there are plenty of people out there willing to sell you a device with a different philosophy. I don't know why people have such a sense of entitlement when it comes to iPhone development. Just move to a different platform, enjoy that luxury that wasn't there for such a long time o

Where in this story is it mentioned that anyone is forbidden from using an SDK? Kaspersky was whining that there was no SDK delivered that would aid in developing 3rd party security software. Not that he was forbidden from using some existing SDK. Maybe next time you should read the summary more than once in order to actual comprehend it?

Not really. Microsoft in the early days turned a blind eye to rampant piracy of its software in order to gain marketshare. The entire Microsoft model of creating software than runs on everyone else's hardware is not about control, it's about network effects.

Microsoft obviously has bullied hardware OEMs and other companies, engaged in FUD, and so on. But from its sloppy user experience to its "slap this OS on any hardware you can" mentality, Microsoft's idea of control is not the same a

.which is one way of preventing malware, it's working pretty well so far for that platform.

Depends on your definition of malware. Spyware is rife on the app store. Pinch Media's analytics tracking is all over the app store.. more than 30 million downloads contained their tracking software... at least according to Pinch Media itself.

Here is everything that apps with pinch media analytics are sending to them:

Your iPhones unique ID, iPhone model and OS version, application info, whether or not the iphone is jailbroken, whether or not the application is pirated, time & date you start and stop the application, your current latitude & longitude, and if facebook is installed on your iphone, your gender and birthday.

I'd like to add that Kaspersky's worthless method of validating their desktop PC client's anti-virus subscription's expiry date is "the wrong way of behaving" too!We have their corporate AV product where I work, and every few weeks, I get a phone call from at least someone who says their anti-virus stopped updating, and keeps popping up a warning about "black.lst" being missing or corrupt. I wind up forcing a manual refresh from the server console and eventually, it realizes it IS still a legally licensed

I'm not familiar with mac development, but the "SDK" in question would basically be kernel internal functions docs/unreleased API docs, yes? There may be other reasons besides appstore control freakery that they don't want to release and/or license that out? And even if Kaspersky would reverse-engineer the necessary parts of the kernel, which they obviously could (and their employees probably already partially have, unofficially) they would be sued to hell and back if they used that data in a product (which

The antivirus companies have been pushing antivirus software for handheld devices since 1999.

In the succeeding decade... so far as I'm aware... the damage caused by viruses on handhelds, ALL handhelds, has been less than the damage due to one false positive incident caused by Norton Antivirus shortly after the pointless hubbub over the Palm "Phage" malware.

False positives suck. Antivirus software is also virtually useless for all but the very oldest viruses. I went through a long process of reporting a virus going to my customers several times per minute. It took 6 months to get the big three I wanted to list the virus to actually list it. 6 months.

This whole signature based BS has got to stop. Frequent false positives (and they happen all the time) aren't even the worst thing about this "technology."

My guess it's the simple fact that one program still can't really interact with another program's data.

The likelihood of Apple ever really changing this is probably next to zero, and it's the main reason I have no interest in the iPhone. What use is a computer in my pocket when I either need to use one program that is complex enough to handle every task I could possible need, or I need to make my tasks so simple that no data need ever be shared between two tools?

It appears that Kaspersky is butthurt because it sees a potential market for more crap we don't need and the controllers of that market don't want, and have the ability to lock them out of that market.

From Apple's point of view, they have remote wipe on both the corporate and personal levels already. And having somebody inside your shorts providing duplicate functionality is fail from top to bottom. I'm surprised that apple even answered the phone when they saw who was calling.

Also Kaspersky can have the SDK anytime they want, it's free. They will have to pay $99 to actually deploy the apps though. What they want is a super special "inside your shorts" SDK that I'd bet isn't coming anytime soon.

I'm undecided on whether this particular behavior on Apple's part is a bad thing (as opposed to other cases, like the Google Voice one, where I'm sure it's a bad thing, and the Opera Mini one, where I'm at least leaning that way).

On desktops, it seems to me that various web ads or email messages encouraging users to install some third-party "security tool" are a major infection vector for malware/spyware. Many, many of the sorts of people who buy Apple products -- and I say this as an Apple user myself -- are... not the sorts of people who routinely make informed decisions about computer security.

Certainly, if third parties are permitted to sell iPhone security software, one might reasonably want them to be subject to considerably more oversight than other software, because of the potential for damage. Again, not because the software is "magic" or other software can't behave badly, but because of the particular ways most real-world users brains just shut down when dealing with security issues. Most people really don't have the mindset for this stuff.

On the PC virus scanning software has become a primary problem. It is a problem that PC users must tolerate because of the virus problem on PC. An PC with virus scanning software is only slightly more usable than an infected PC. This is why few people have such software on the Mac, even though there is an equally serious threat.

Spyware and port monitoring software is something different. Programs like Spybot and the like can be implemented without seriously degrading the user experience. My question i

The iPhone3GS already has built in hardware level encryption of the entire storage device. It also has BSD jails for apps to run inside of and there is the Appstore approval process.

This "software" could not be ordinary software but would rather require Apple opening up the OS to third party extensions which ran at a privileged level above the sandboxes. I just don't see that every happening for a couple of reasons.

1. The Kaspersky software itself could have exploitable flaws and given that it would be running at a higher privilege level than regular apps, that opens up a new attack vector for web based exploits to use.

2. Such software would potentially slow the OS down and cause a significant battery drain for no real gain of protection.

Much has been made about FUD articles that say that other apps can access contacts without asking for permission. No shit sherlock. That is a "feature" of the official API and the app approval process is supposed to ferret out nefarious uses of contact lists. I would hate to see UAC style boxes for apps each time I wanted to see a contact list in a third party app.

He or she knows their stuff and highlighted all of the major issues an API for software like Kaspersky would create for the iPhone OS.

Allowing their software on the iPhone would require destroying the existing security model and it opens up vectors for malware/trojan horses to install at the same privilege level where your iPhone could become a node o a botnet.

Apple is probably waiting until they implement multitasking in the next OS [slashdot.org], so that they can have Kaspersky's software constantly running in the background constantly using 50% of the CPU to block malware.

Apple is probably waiting until they implement multitasking in the next OS [slashdot.org], so that they can have Kaspersky's software constantly running in the background constantly using 50% of the CPU to block malware.

Opening things up for Kaspersky would cause a need for their software but the current state of lock down means that there is no need for their software on the iPhone platform. I don't want to see kernel level access for third party developers on the iPhone ever.

Kaspersky ascribes it to Apple wanting to "control everything", but Apple already doesn't mind turning over control of about 100,000 apps to other developers already.

I think it's something else. Well, two things, actually:

First, I think that Apple wants to keep the word "virus" and the word "iPhone" from being any more linked in the consumer's mind than they have to be. If a range of anti-virus tools becomes available for the iPhone, then it implicitly says that viruses are something you need to be co

This is more about the closed nature of the App Store more than the necessity (or lack thereof) for a security app. In fact, the sporadic and seemingly hypocritical nature of Apple's approval process alone is reason enough for me to not get an iPhone (being stuck on AT&T and having no hardware keyboard are the other two reasons...although I could look past those two if it meant anyone could had an app put up for download.)

Granted, you can jailbreak an iPhone and install whatever you want, but I shouldn't have to hack a phone just so I can use whatever program I want on it. Being held to Apple's decision on what I can or can't use on there is a deal breaker for me.

While AT&T are bad verizon is just as bad if not worse. Ihave watched verizons 3G network slow to a crawl.

To date the spyware and hacks that have been succesful only target jail broken phones. Why because people are stupid and install things wrong.

With apples current approach the buck stops with apple. If an approved app or other malicous software does hit the mass iPhone population apple becomes the only company to blame. Unlike the recent windows virus found on HTC models where HTC can blame any one

While AT&T are bad verizon is just as bad if not worse. Ihave watched verizons 3G network slow to a crawl.

You say that with no context as to where you live, which is very important. Because where I am, AT&T just turned on 3G less than six months ago, and it's slower than Verizon's which has been on for two years, and hasn't slowed down a bit since I got my Droid.

While AT&T are bad verizon is just as bad if not worse. Ihave watched verizons 3G network slow to a crawl.

You say that with no context as to where you live, which is very important. Because where I am, AT&T just turned on 3G less than six months ago, and it's slower than Verizon's which has been on for two years, and hasn't slowed down a bit since I got my Droid.

Says the guy who didn't post where he lives...

Overall, AT&T's 3G coverage is faster than Verizon's. In specific places, such as where AT&T *doesn't* have 3G coverage, or where coverage isn't terribly good, then Verizon's may be faster. But all told, AT&T takes the 3G speed crown in the US.

AT&T's network is only clogged in a few overpopulated cities. The other 95% of the country isn't clogged in the slightest. I have an iPhone 3GS and my friend has a Droid - we both get between 120 KB/sec to 350 KB/sec downloads, typically around the 200-250 KB/sec point. If you want to live in an overpopulated area (NYC, LA, San Fran), then just like how you have massive congestion when trying to travel, you're going to get massive congestion on cell networks too.

It's all location, location, location. I get 1.7Mb/s down and 400+Kb/s up in most places using the SpeedTest app. Then when I walk to the back of the house sometimes I'm on the EDGE (or whatever) network and it's slow as molasses. This is the Palm Beach / Martin County / Broward county area in SE Florida.

AT&T speeds are generally faster than Verizon in my area, but the reception of AT&T phones around where I live is absolutely horrendous...based on what friends who have the iPhone have told me, there are TONS of dead spots around here (Montgomery County, Maryland...hardly the boonies.)

While AT&T are bad verizon is just as bad if not worse. Ihave watched verizons 3G network slow to a crawl.

You trade speed for coverage between AT&T and Verizon. Just like there are tradeoffs between an iPhone or an Android phone or Blackberry. Decide based on the features you want which is best for you personally.

To date the spyware and hacks that have been succesful only target jail broken phones. Why because people are stupid and install things wrong.

But this isn't an anti-hacking application, so that doesn't apply. This is an anti-theft applications. You know, in case your phone is stolen.

So why not approve it? I can think of two reasons:
1) Does things beyond the API or agreement allows, particularly with encryption.
2) Apple provides a

So why not approve it? I can think of two reasons:
1) Does things beyond the API or agreement allows, particularly with encryption.
2) Apple provides an anti-theft service, which this application would compete with.

But this isn't an application that was submitted to Apple and denied, so these don't apply either. Kaspersky never claimed that they ever wrote or submitted an application. All they have said is that Apple has not provided them with an SDK. Now this might be because

No, it actually stops with ME. I can exploit the iPhone OS software and all it takes is you connecting to my Wireless AP. Already having fun pissing off people that come to my house and realize their iPhone QUIT WORKING.

Apple better let those guys get security software made, or Apple is not going to be happy when I sell my exploit.

Wow, the worst "malware" for the Mac can email you and call you! If that was the worst thing that PC malware did, companies like Norton and McAfee would be out of business overnight.

I can't seem to find a link to it now (so maybe I'm wrong), but I thought Apple blocked at least one of the apps where the developer actually called someone. I know the storm8 example you listed has been fixed.

if Apple allows it, it's clearly not malware.

That's absurd. Apple has a process in place to both remove from the store, and if the app is truly egregious, remove rem

Apple has already gone through at least one cycle of making desirable, well-made products to nearly getting out of the hardware business altogether because their stuff was crappy and then back again to making decent goods. At the moment, they rushing headlong into territory that Sony has staked out, of being a company that makes some decent products that discerning people won't touch.

I don't think it will surprise anyone if they have to go through the cycle again.